So I looked at a simda binary today to find they included a new section in the backdoor. Now we have this:

The new section .abk (a... bootkit ?) appears to be TrojanDropper:Win32/Rovnix.H, so it looks like the guys behind simda decided to add a bootkit component to their backdoor (I didn't dig further, but it seems that the driver infection capabilities of simda are still here as well (.driver section + code procedures)). I looked at some other fresh TrojanDropper:Win32/Rovnix.H from VT and they all seem to share the same packer, the one used by simda for a very, very long time, and the code looks alike. I extracted the components from the abk binary: LDR (bootkit code), D32 (driver x86), D64 (driver x64). D32 & D64 also contain respectively HST32 & HST64 (dlls, HST = ?). All components are compressed by aplib, and are located in the .rsrc sections.

In the simda configs, we have 2 ips (google.com), the usual domain to download the rootkit module, and the usual google redirections.

Simda with BkLoader added to Bootkits/Rootkits sections, thanks for sharing. I assume we can expect this leaked crap now in every somehow average bot.
And there is no need to allocate such huge regions for APLib decompression. Each aplib block is described by a common structure that has OrigSize in bytes as a member and the compressed buffer right after this structure.

Actually, I just dumped the memory regions allocated where the aplib compressed components were decrypted, they have a fixed size in the code (0x1400 for LDR, 0x19000 for D32 + D64, 0x32000 for HST32 + HST64). So the blame is mostly on the coder of this :]
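To make the point about OrigSize and buffer sizing concrete, here is an added example (not code from the thread or from the sample) of how an analyst can pull a component out of such a block: read OrigSize from the header, then run a plain aPLib depacker whose output is bounded by that size instead of by a fixed region. The header layout assumed here (a 4-byte little-endian OrigSize followed directly by the packed bytes) is an assumption, since the thread only says OrigSize is a member and the compressed buffer follows the structure; the packed sample stream is hand-assembled for this example. The depacker follows the token scheme of the public aPLib reference depacker.

```python
import struct

# Assumed per-component header: a 4-byte little-endian OrigSize immediately
# followed by the aPLib-packed buffer. The real structure layout in the
# samples is not given in the thread; only "OrigSize, then packed data" is.
HEADER = struct.Struct("<I")


class _BitReader:
    """Tag-byte bit reader: tags are loaded lazily and consumed MSB-first."""

    def __init__(self, src, pos):
        self.src, self.pos, self.tag, self.bitcount = src, pos, 0, 0

    def byte(self):
        b = self.src[self.pos]
        self.pos += 1
        return b

    def bit(self):
        if self.bitcount == 0:
            self.tag, self.bitcount = self.byte(), 8
        bit = (self.tag >> 7) & 1
        self.tag = (self.tag << 1) & 0xFF
        self.bitcount -= 1
        return bit

    def gamma(self):
        # Elias-gamma style code used by aPLib for offsets and lengths.
        result = 1
        while True:
            result = (result << 1) + self.bit()
            if not self.bit():
                return result


def aplib_depack(src, start=0, limit=None):
    """Decode one raw aPLib stream starting at src[start].

    limit is OrigSize from the header: writing past it raises instead of
    growing the buffer, so a corrupt or hostile stream cannot balloon memory."""
    rd = _BitReader(src, start)
    out = bytearray()
    r0, lwm = -1, 0

    def emit(b):
        if limit is not None and len(out) >= limit:
            raise ValueError("packed stream produces more than OrigSize bytes")
        out.append(b)

    def copy(dist, n):
        if dist < 1 or dist > len(out):
            raise ValueError("match offset points before start of output")
        for _ in range(n):
            emit(out[-dist])

    emit(rd.byte())                      # first byte is always a raw literal
    while True:
        if not rd.bit():                 # "0": literal byte
            emit(rd.byte())
            lwm = 0
        elif not rd.bit():               # "10": gamma-coded offset and length
            ofs = rd.gamma()
            if lwm == 0 and ofs == 2:    # reuse the previous match offset
                copy(r0, rd.gamma())
            else:
                ofs -= 3 if lwm == 0 else 2
                ofs = (ofs << 8) + rd.byte()
                n = rd.gamma()
                if ofs >= 32000:
                    n += 1
                if ofs >= 1280:
                    n += 1
                if ofs < 128:
                    n += 2
                copy(ofs, n)
                r0 = ofs
            lwm = 1
        elif not rd.bit():               # "110": short match or end marker
            ofs = rd.byte()
            n = 2 + (ofs & 1)
            ofs >>= 1
            if ofs == 0:
                break                    # offset 0 terminates the stream
            copy(ofs, n)
            r0, lwm = ofs, 1
        else:                            # "111": single byte, 4-bit offset
            ofs = 0
            for _ in range(4):
                ofs = (ofs << 1) + rd.bit()
            if ofs:
                copy(ofs, 1)
            else:
                emit(0)
            lwm = 0
    return bytes(out)


def unpack_component(blob):
    """Read OrigSize from the assumed header and depack exactly that many bytes."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated header")
    (orig_size,) = HEADER.unpack_from(blob, 0)
    data = aplib_depack(blob, HEADER.size, limit=orig_size)
    if len(data) != orig_size:
        raise ValueError(f"depacked {len(data)} bytes, header says {orig_size}")
    return data


# Constructed sample: a hand-assembled aPLib stream that decodes to b"ABABABAB"
# (literal 'A', literal 'B', short match, gamma-coded match, end marker).
SAMPLE_PACKED = b"A\x68B\x04\x02\x30\x00"
SAMPLE_BLOB = HEADER.pack(8) + SAMPLE_PACKED

if __name__ == "__main__":
    print(unpack_component(SAMPLE_BLOB))
```

Allocating OrigSize bytes per block, as this does, is all the decompressor needs; a size mismatch between the header and the decoded stream is then a loud error rather than a silent overrun or a wasted 0x32000-byte region.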

Edit: I took a look at older binaries to determine when the bkloader was integrated. This one for example (f811bfa8fe5411e10d7ac06fe45a1347) was first submitted a month ago on VT (First submission 2013-05-25 10:23:22 UTC). So the integration of bkloader was made before the carberp sale, and before the leak as well. I don't have earlier samples, so I can't give a precise date for this integration.